CSE 246: Computer Arithmetic Algorithms and Hardware DesignNumbers: RNS, DBNS, Montgomory

Prof Chung-Kuan Cheng

Lecture 3

How to compare two RNS numbers We can approximate the magnitude of a RNS

number by the following formula

MpppRNSxxx

Mx kkkk )|...||()|...||( 021021

1

01)(

k

iMOD

i

ii

Px

jjPM

iPi

i PM ])[( 1

where

An Example

Suppose,x = (6|3|0) RNS (7|5|3)y = (3|0|1) RNS (7|5|3)

Then we havex/105 = [6(1/7) + 3(1/5) + 0(2/3)] mod 1 ≈ 0.457y/105 = [3(1/7) + 0(1/5) + 1(2/3)] mod 1 ≈ 0.095

Clearly, x (48) is greater than y (10).

Double Base Number System (DBNS) DBNS is a new kind of number system,

where there are two bases, p and q. Any number x is represented by the equation

Also, this number system could be redundant, e.g.54 = 2030+2130+2131+2031+2032+2232

= 2133

ji

ijji

ij pdqpqpdx,

0;,

Double Base Number System (DBNS) We can represent DBNS numbers in a two-dimensional

table. For example we can express 54 by this tabular representation.

1 2 4

1 x x

3 x

9 x x

For each entry in the table, we multiply the corresponding row-value and column-value. Then we add up all such entries to get the value of the number represented by the table.

Double Base Number System (DBNS) DBMS can be of practical use too in some

scenarios. In binary number representation, each bit has

approximately 0.5 probability of being 1. But in DBNS, the number of bits that are logic 1 in

the tabular representation could be much less. Effectively, we can reduce the number of 01

and 10 transitions, thus saving power.

Double Base Number System (DBNS)A greedy approach to minimize the number of TRUE bits in the tabular representation of any integer :

GREEDY (x){ if (x > 0) then do{

find the largest 2-integer w such that w ≤ x;write(w);x = x-w;greedy(x);

}}

Double Base Number System (DBNS)• It can be shown that expected number of bits that are ‘turned on’ in a DBNS representation of integer is

•O[lg x/(lg lg x)], which is significantly lower than the corresponding number in the positional binary system, O(lg x).

• As an example, consider the integer 2215

• In binary system, number of ‘1’s ≈ 100

• In DBNS, number of ‘1’s ≈ 30

• In the next few slides we shall discuss how we can implement ADDITION operation on two DBNS numbers.

DBNS Numbers: AdditionConsider the integers 14 and 20. In DBNS system,

14 = 2231 + 2130 [We represent this number by a green cross]

20 = 2132 + 2130 [We represent this number by a red cross]

The addition operation is performed by representation the numbers in tabular form, and then ‘merging’ the tables.

1 2 4

1 xx

3 x

9 x

DBNS System: AdditionThe final merged table is :

1 2 4

1 +

3 +

9 +

And the sum of 14 and 20 is

2230 + 2231 + 2132 = 34, which is indeed correct

DBNS System: Addition

Few rules for ‘shifting’ values in the merged table We can always use algebraic manipulations to

minimize number of entries in a DBNS table, e.g. 2i3j + 2i3j+1 = 2i+23j

2i3j + 2i+13j = 2i3j+1

A variant of 2-integers are represented by using only single digit. They are of the form 2s3t, and might be useful in logarithmic operations.

MontgomeryMultiplication

David Harris Harvey Mudd CollegeClaremont, CA 91711

David_Harris@hmc.edu

Outline Cryptography Overview Finite Field Mathematics Montgomery Multiplication

Cryptography Overview

Encryption has become essential E-commerce (SSL) Communications / network processors Smart cards / digital cash Military

Two major classes of algorithms Symmetric cryptosystems (e.g. DES) Public key cryptosystems (e.g. RSA)

Cryptographic Protocols Alice and Bob would like to communicate

securely. Eve wants to listen in. Symmetric key:

Alice and Bob must share a key for encryption and decryption.

If Eve hears it, she can read the messages. Public key:

Alice publishes her public key to the world. Bob encrypts with Alice’s public key. Alice can decrypt only with her private key. Eve can’t decrypt with the public key.

Digital Signatures

Alice wants to sign a contract in a way that only she can do. Alice publishes her public key and keeps the

private key secret. Encrypt the document with her secret key. Anyone can decrypt the document with her public

key But nobody can forge her signature.

Key Exchange

Public key encryption is slow Use it to share a symmetric key

Use symmetric key to encrypt large blocks of data

RSA Encryption Most widely used public key system.

Good for encryption and signatures. Invented by Rivest, Shamir, Adleman (1978)

Public e and private d keys are long #s n = 256-2048+ bits Satisfy xde mod M = x for all x Finding d from e is as hard as factoring M

Encryption: B = Ae mod M Decryption: C = Bd mod M = Aed = A

Modular Exponentiation

Critical operation in RSA and for Digital signature algorithm Diffie-Hellman key exchange Elliptic curve cryptosystems

Done with 2n modular multiplications Ex: A27 = ((((((A2) * A)2)2) * A)2) * A Division required after each multiplication to

compute modulo

Finite Field Mathematics

+, * modulo prime p form a finite field p elements Additive identity: 0 Multiplicitive identity: 1 Each nonzero number has a unique inverse x-1

Named GF(p) For Evariste Galois, a 19th century number theorist killed

in a duel at age 20

Binary Extension Fields Building blocks are polynomials in x

Operations performed modulo some irreducible polynomial f(x) of degree n

Arithmetic done modulo 2 Called GF(2n)

Example: GF(23)

Computation is the same as GF(p) Except that no carries are propagated

Element Code

0 000

1 001

x 010

x+1 011

x2 100

x2 +1 101

x2+x 110

x2+x+1 111

Montgomery Multiplication

Faster way to do modular exponentation Operate on Montgomery residues Division becomes a simple shift Requires conversion to and from residues only

once per exponentiation

Montgomery Residues

Let the modulus M be a prime n-bit integer

Define r = 2n

Define the M-residue of an integer a < M as

There is a one-to-one correspondence between integers and M-residues for 0 < a < M-1

nn M 22 1

Mara mod

M-Residue Examples

M = 11, r = 16

611 mod 16*1010

111 mod 16*99

711 mod 16*88

211 mod 16*77811 mod 16*66

311 mod 16*55911 mod 16*44

411 mod 16*33

1011 mod 16*22

511 mod 16*11

011 mod 16*00

Montgomery Multiplicaton Define

Where r-1 is the inverse of r mod M: r-1r = 1 (mod M)

This gives the Montgomery residue of z = xy mod M

MryxyxMMz mod),( 1

MzrMxyr

Mryrxr

Mryxz

mod mod

mod))((

mod1

1

Montgomery Multiplicaton

MyxMMyrMxr

Mryxyx

mod)(mod)mod mod(

mod)()(

Mont. Multiplication Example

711 mod 9*7*5)7,5()111 mod 9*16( 91

MMr

It may not be obvious that this is easier to do than regular modular multiplication.

Red(T)= Tr-1mod M

Algorithm

m= T M’ mod r (0<= m < r) t= (T+mM)/r If t>=M, return t-M else return t

Red(T)= T r-1 mod M

Let M’= (-M-1) mod r, i.e. rr-1-M’M=1

ExampleRed(T)= T r-1 mod M

Let M’= -M-1 mod r, i.e. rr-1-M’M=1 r= 16 M= 11 r -1 mod M = 9 M’= -M-1 mod r = 13

rr -1-M’M= 16x9-13x11= 1

Example Red(T)= T r-1 mod M

r= 16, M= 11, r -1 = 9, M’= 13 m= (T M’ )mod r t= (T+mM)/r If t>=M, t-M else return tRed(1)

m=1x13 mod 16= 13t= (1+13x11)/16= 144/16= 9Red(1)= 9

Red(1)= 1x9 mod 11= 9

Example Red(T)= T r-1 mod M

r= 16, M= 11, r-1 = 9, M’= 13 m= T M’ mod r t= (T+mM)/r If t>=M, t-M else return tRed(2)

m=2x13 mod 16= 10t= (2+10x11)/16= 112/16= 7Red(2)= 7

Red(2)= 2x9 mod 11= 7

Example Red(T)= T r-1 mod M

r= 16, M= 11, r-1 = 9, M’= 13 m= Tmod r M’ mod r t= (T+mM)/r If t>=M, t-M else return tRed(3)

m=3x13 mod 16= 7t= (3+7x11)/16= 80/16= 5Red(3)= 5

Red(3)= 3x9 mod 11= 5

Example Red(T)= T r-1 mod M

r= 16, M= 11, r-1 = 9, M’= 13 m= Tmod r M’ mod r t= (T+mM)/r If t>=M, t-M else return tRed(103)

m=103x13 mod 16= 11t= (103+11x11)/16= 224/16= 14t= t-M= 14-11=3Red(103)= 3

Red(103)= 103x9 mod 11= 3

Proof:(T+mM)/r is an integer

m=TM’ mod r Thus mM mod r = -T mod rTherefore T+mM mod r is 0

t modM = Tr-1 modMt= (T+mM)/rThus tr = T+mMConsequently, tr mod M= T mod M

0<= t < 2M0<= T+mM< rM+rM

Montgomery Multiplier

MM is an easier operation that requires no hard division, just shifting

In radix 2,

Z = 0for i = 0 to n-1Z = Z + xi•Yif Z is odd then Z = Z + MZ = Z/2

if Z ≥ M then Z = Z – M

Example

X = 7 = 0111 Y = 5 = 0101 M = 11 = 1011

Z initially 0 Z = (0 + 5 + 11) / 2 = 8 Z = (8 + 5 + 11) / 2 = 12 Z = (12 + 5 + 11) / 2 = 14 Z = (14 + 0) / 2 = 7 (final result)

Z = 0for i = 0 to n-1

Z = Z + xi•Yif Z is odd then Z

= Z + MZ = Z/2

if Z ≥ M then Z = Z – M

Conversion

Conversion of integers to/from Montgomery residues takes one MM operation (if r2 mod M is precomputed and saved):

Modular exponentiation takes two conversion steps and 2n multiplication steps.

xMrxrMrxxMMx

MxrMrxrrxMMx

mod 1 mod1)1,(

mod mod),(11

122